- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- IF Statement customized EVAL
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IF Statement customized EVAL
Hi All,
need help in my query, formatting an IF statement.
My Code:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table sitecode, nodelabel, Status,Time
My Output:
| sitecode | nodelabel | Status | Time |
| ABM | ARABMLANCCO1 | Up | 1/23/2021 14:35 |
| ABM | ARABMLANCUA1 | Up | 1/23/2021 8:26 |
| ABM | ARABMLANCUA2 | Up | 1/23/2021 8:25 |
| ABM | ARABMWANRTC1 | Up | 1/23/2021 8:25 |
| ABM | ARABMLANCUA3 | Up | 1/23/2021 8:25 |
| ABM | ARABMLANCUA4 | Up | 1/23/2021 8:25 |
| ABM | ARABMAPNOPT1 | Up | 1/19/2021 13:37 |
| ZBQ | BRZBQLANCUA1 | Up | 1/19/2021 13:37 |
Above table am getting from my code.
Requirement :
I want to list down all devices from that sitecode which have any of these name ("*WANRTC*" OR "*LANCCO*" OR "*WLNWLC*"OR "*APNINT*") these keyword in nodelabel. rest all site code should be removed from the list.
In my output. Am having ABM site which matches any of that Keyword and that to be displayed, where as ZBQ doesnt have any of that keyword devices in the list, so it should be removed.
like and IF ("*WANRTC*" OR "*LANCCO*" OR "*WLNWLC*"OR "*APNINT*") any of this present in device names, then the complete list to be displayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is filtering only devices which have "WANRTC|LANCCO|WLNWLC|APNINT". rest all devices from that site removed. I want other devices also from that site including the above one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alright,
Try
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table sitecode, nodelabel, Status,Time
| eventstats values(eval(if(match(nodelabel,"WANRTC|LANCCO|WLNWLC|APNINT"),1,null()))) as isPresent by app
| where isPresent == 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this help?
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table sitecode, nodelabel, Status,Time
| where match(nodelabel,"WANRTC|LANCCO|WLNWLC|APNINT")
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
